9.2.4. Using Key-Based Authentication

To improve system security even further, you can enforce the use of key-based authentication by disabling the standard password authentication. To do so, open the /etc/ssh/sshd_config configuration file in a text editor such as vi or nano, and change the PasswordAuthentication option as follows:

PasswordAuthentication no
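
An added example, not part of the original guide: a shell function that reads an sshd_config-style file and reports the global PasswordAuthentication value, applying sshd's rule that the first occurrence of a keyword wins and noting any Match block that turns passwords back on. The function name and the sample configuration are constructed for illustration; Include directives are not followed, so treat the output of sshd -T as authoritative on a live system.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the guide).
# Prints "yes" or "no" for the global PasswordAuthentication setting,
# followed by " match-override" if a Match block sets it to yes.
# Reads the file named in $1, or standard input when no argument is given.
# Limitation (assumption): Include directives are not followed.

effective_password_auth() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # strip leading whitespace
            if (line == "" || line ~ /^#/) next    # skip blanks and comments
            split(line, f, /[ \t=]+/)              # keyword, then argument
            key = tolower(f[1])                    # keywords are case-insensitive
            val = tolower(f[2])
            gsub(/"/, "", val)                     # arguments may be quoted
            if (key == "match") { in_match = 1; next }
            if (key != "passwordauthentication") next
            if (in_match) {                        # a Match block runs to the next
                if (val == "yes") override = 1     # Match line or end of file
                next
            }
            if (global == "") global = val         # first global value wins
        }
        END {
            if (global == "") global = "yes"       # sshd default when unset
            out = global
            if (override) out = out " match-override"
            print out
        }
    ' "$@"
}

# Constructed sample configuration: the commented-out line is ignored, the
# second global value is ignored, and the Match block re-enables passwords.
effective_password_auth <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
```

A result of "no" with no override flag is what this section's change is meant to produce; anything else means password logins are still accepted for at least some connections.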

To be able to use ssh, scp, or sftp to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately.

Important: Do Not Generate Key Pairs as root

If you complete the steps as root, only root will be able to use the keys.

Tip: Back Up Your ~/.ssh/ Directory

If you reinstall your system and want to keep a previously generated key pair, back up the ~/.ssh/ directory. After reinstalling, copy it back to your home directory. This process can be done for all users on your system, including root.

9.2.4.1. Generating Key Pairs

To generate an RSA key pair for version 2 of the SSH protocol, follow these steps:

Important: Never Share Your Private Key

The private key is for your personal use only, and it is important that you never give it to anyone.

9.2.4.2. Configuring ssh-agent

To store your passphrase so that you do not have to enter it each time you initiate a connection with a remote machine, you can use the ssh-agent authentication agent. If you are running GNOME, you can configure it to prompt you for your passphrase whenever you log in and remember it during the whole session. Otherwise, you can store the passphrase for a certain shell prompt.

Make sure you have the openssh-askpass package installed. If not, refer to Section 1.2.2, “Installing” for more information on how to install new packages in Fedora.

Select System → Preferences → Startup Applications from the panel. The Startup Applications Preferences will be started, and the tab containing a list of available startup programs will be shown by default.

Figure 9.1. Startup Applications Preferences

Click the Add button on the right, and enter /usr/bin/ssh-add in the Command field.

Figure 9.2. Adding new application

Click Add and make sure the check box next to the newly added item is selected.

Figure 9.3. Enabling the application

Log out and then log back in. A dialog box will appear prompting you for your passphrase. From this point on, you should not be prompted for a password by ssh, scp, or sftp.

Figure 9.4. Entering a passphrase

To save your passphrase for a certain shell prompt, use the following command:

~]$ ssh-add
Enter passphrase for /home/john/.ssh/id_rsa:

Note that when you log out, your passphrase will be forgotten. You must execute the command each time you log in to a virtual console or a terminal window.